diff --git a/public/__redirects b/public/__redirects index 7070fd9e718f3ed..db30468978030de 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2389,6 +2389,7 @@ /cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301 /cloudflare-one/applications/login-page/ /cloudflare-one/reusable-components/custom-pages/access-login-page/ 301 /cloudflare-one/applications/block-page/ /cloudflare-one/reusable-components/custom-pages/access-block-page/ 301 +/cloudflare-one/policies/gateway/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301 /cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301 /cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301 /cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301 
@@ -2399,9 +2400,11 @@ /cloudflare-one/identity/authorization-cookie/application-token/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/ 301 /cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301 /cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301 +/cloudflare-one/identity/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301 /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301 /cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031 /cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301 +/cloudflare-one/identity/devices/access-integrations/tanium/ /cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/ 301 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301 diff --git a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx index ee71b61be933e58..9d9139522e99533 100644 --- a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx +++ b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx 
@@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew - A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. - For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. -Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page). +Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx index 0d65db2bebe9ca9..61b4e6f53d80a31 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx 
@@ -24,7 +24,7 @@ However, if you want to update the Minimum TLS settings for all wildcard hostnam ## Enable mTLS -Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) with a few clicks. +Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) with a few clicks. :::note Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/). diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx similarity index 100% rename from src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication.mdx rename to src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx new file mode 100644 index 000000000000000..42856884904c012 --- /dev/null +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx 
@@ -0,0 +1,44 @@ +--- +pcx_content_type: how-to +title: App Launcher customization +sidebar: + order: 2 +--- + +import { Render } from "~/components"; + +:::note + +Only available on Pay-as-you-go and Enterprise plans. +::: + +You can display your own branding, messages, and links to users when they open the [Access App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). + +To customize the App Launcher appearance: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. +2. Find the **Customize App Launcher** setting and select **Customize**. +3. Give the App Launcher the look and feel of your organization by adding: + - Your organization's name + - A logo + - A preferred background color for the header + - A preferred background color for the page + - A custom footer with links to your organization's help desk or other internal resources. + +:::note + +We recommend lighter background colors because the font defaults to black. +::: + +4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include: + - A custom title + - A custom subtitle + - An image + - A preferred color for the **Log in** button + - A preferred color for the **Log in** button text + + All of the properties configured in Step 3 will also apply to the landing page. + +5. Once you are satisfied with your customization, select **Save**. + +The App Launcher screens are now updated. To view your changes, select **Preview**. diff --git a/src/content/docs/cloudflare-one/traffic-policies/block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx similarity index 99% rename from src/content/docs/cloudflare-one/traffic-policies/block-page.mdx rename to src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx index b94308f150d79e8..99a05d43181ba60 100644 
--- a/src/content/docs/cloudflare-one/traffic-policies/block-page.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Block page sidebar: - order: 14 + order: 1 --- import { Render, Tabs, TabItem } from "~/components"; diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx new file mode 100644 index 000000000000000..3386932605b9b4e --- /dev/null +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx @@ -0,0 +1,15 @@ +--- +pcx_content_type: navigation +title: Access integrations +sidebar: + order: 4 +--- + +The following device posture checks do not require the WARP client and can only be used in [Cloudflare Access policies](/cloudflare-one/access-controls/policies/). They cannot be used in Gateway network policies. + +## Supported operating systems + +| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | +| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- |---------------------------------------------------------------------------------------- | +| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | +| [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx deleted file mode 100644 index 10cf48f23204c05..000000000000000 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -pcx_content_type: navigation -title: Access integrations -sidebar: - order: 4 ---- - -These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies. - -| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | -| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | -| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | -| [Mutual TLS](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | -| [Tanium](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx index 640eb99e6d95a17..f992cb36cb0aad5 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx 
@@ -32,7 +32,7 @@ You can now use your device posture check in an [Access policy](/cloudflare-one/ :::caution[Gateway policy limitation] -Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/). +Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/). ::: ## 4. Ensure traffic is going through WARP diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx index edced3cb4dbdf3b..0d91a1225d95f58 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx @@ -44,7 +44,7 @@ The Client Certificate device posture attribute checks if the device has a valid :::note -To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#generate-mtls-certificates). +To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#generate-mtls-certificates). ::: ## Configure the client certificate check diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx index 4ebe78397f841b9..9a51b28fc539fb3 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx 
+++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx @@ -31,3 +31,4 @@ These device posture checks are performed by the [Cloudflare WARP client](/cloud | [Require Gateway](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-gateway/) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Require WARP](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp/) | ✅ | ✅ | ✅ | ✅ | ✅ | | [SentinelOne](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/sentinel-one/) | ✅ | ✅ | ✅ | ❌ | ❌ | +| [Tanium (legacy)](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx similarity index 91% rename from src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx rename to src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx index 7c65bde92f2cf5e..e473c77e3c3fe32 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Tanium (legacy) sidebar: - order: 4 + order: 12 head: - tag: title content: Integrate Tanium with Access 
@@ -16,10 +16,8 @@ Not recommended for new deployments. We recommend using the [Tanium service-to-s Cloudflare Access can use endpoint data from [Tanium™](https://www.tanium.com/) to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user's identity, and the browser will connect to the Tanium agent before making a decision to grant access. -:::caution[Gateway device posture limitation] - -The Tanium integration cannot be used with [Gateway device posture policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). - +:::caution[Gateway policy limitation] +The legacy Tanium integration cannot be used in [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). Only [Access policies](/cloudflare-one/access-controls/policies/) are supported. ::: ## Prerequisites diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx index b319a09eb1c4a07..6eda7d53be28dc2 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx 
@@ -275,7 +275,7 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl --header "CF-Authorization: " | jq ``` -If the site is blocked and you have turned on the [block page](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`. +If the site is blocked and you have turned on the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx index 58628965dc645a6..c16bcbaeffc4424 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx @@ -29,7 +29,7 @@ import { Details, Render } from "~/components"; The [WARP client](/cloudflare-one/team-and-resources/devices/warp/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). -The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/traffic-policies/block-page/), and more. +The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. ## Install a certificate using WARP diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx index 8baa0be47e604ea..dff6abdbbf38b49 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx 
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx @@ -14,7 +14,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components"; Only available on Enterprise plans. ::: -Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/traffic-policies/block-page/). +Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team. 
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx index 3e6f91d9a6aafce..dc11aae1804fa4b 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx @@ -49,7 +49,7 @@ If you are using Split Tunnels in Include mode, you must include the following d #### Block page -If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/traffic-policies/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: +If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: - `162.159.36.12` - `162.159.46.12` diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx index 1c136286b7d4f66..468fe8ebf36403a 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx 
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx @@ -29,7 +29,7 @@ You can verify which devices have enrolled by going to **My Team** > **Devices** ### Check for mTLS certificate -Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) during device enrollment. +Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) during device enrollment. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx index fd08902c6afd163..81970e110aa0bfd 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx 
@@ -141,7 +141,7 @@ Policies with Block actions block DNS queries to reach destinations you specify #### Custom block page -When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/traffic-policies/block-page/). +When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). If the block page is turned off for a policy, Gateway will respond to queries blocked at the DNS level with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. The browser will display its default connection error page. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx index b62ffb8481dd6c0..bfe160cfdd81fd2 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx 
@@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/traffic-policies/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/traffic-policies/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx index 74c36d5d291d5ec..f53271d9c3af8a2 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx 
@@ -56,7 +56,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/traffic-policies/block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block @@ -130,7 +130,7 @@ API value: `redirect` The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page. -To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page). +To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). #### Policy settings diff --git a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx index 68a829c3cd51a28..dfed0180c7ff166 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx 
+++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx @@ -33,7 +33,7 @@ To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. +3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. ### Connect DNS locations diff --git a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx index b610c926aaf090c..5af81f5d100cce4 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx 
@@ -24,7 +24,7 @@ To filter network traffic from a device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Cloudflare One instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device . +3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device . 4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. ### Connect private networks diff --git a/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx index 9c139e3d78d06fc..0f7132cbe6f3245 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx 
@@ -27,7 +27,7 @@ The Gateway Tenant platform supports tiered and siloed account configurations. In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: -- Configuring a [custom block page](/cloudflare-one/traffic-policies/block-page/) +- Configuring a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) - Generating or uploading [root certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/) - Mapping [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/reusable-components/lists/) diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index 92b9af68eea61e4..e3f995b0003c89a 100644 --- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx 
@@ -433,7 +433,7 @@ You can now block access to all unauthorized public AI agents with a Gateway [HT This ensures that public AI agents are not accessible using a managed endpoint. -Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), [redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper. +Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper. ## 6. Enforce Data Loss Prevention and Clientless Browser Isolation diff --git a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx index 5595d8b1bb78ab4..1171209e7e8d50f 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx 
@@ -53,7 +53,7 @@ Cloudflare Workers are an easy method to stand up custom user coaching pages. Th 2. Enter the URL to the approved application you want to redirect the user to use instead. 7. Select **Create policy**. -For more information, refer to [Configure policy block behavior](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior). +For more information, refer to [Configure policy block behavior](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#configure-policy-block-behavior). ## Capture prompts to prevent data loss diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx index 821633d0696edda..0215e34c87b6920 100644 --- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx +++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx 
@@ -20,5 +20,5 @@ There are two main ways to use mTLS at Cloudflare, either by using the Applicati | Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) | | Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. | | [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). | -| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. 
| -| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. | +| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. | +| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. | diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx index ace3c9981c52d66..5dd46b518c3faf2 100644 --- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx +++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx @@ -9,7 +9,7 @@ sidebar: This requires an active Enterprise [Account](/fundamentals/concepts/accounts-and-zones/) with Cloudflare Access enabled. ::: -Setting up [mTLS](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) can help in cases where the customer: +Setting up [mTLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) can help in cases where the customer: - Already has existing Client Certificates on devices. - Needs to protect Access applications with [Bring Your Own CA (BYOCA)](/ssl/client-certificates/byo-ca/). 
@@ -19,7 +19,7 @@ Setting up [mTLS](/cloudflare-one/reusable-components/posture-checks/access-inte The CA certificate can be from a publicly trusted CA or self-signed. -In case you want to [create your own CA](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) from scratch, you can follow these example steps and adapt the information to your own needs: +In case you want to [create your own CA](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) from scratch, you can follow these example steps and adapt the information to your own needs: 1. Create a JSON file called `ca-csr.json`: @@ -64,7 +64,7 @@ In case you want to [create your own CA](/cloudflare-one/reusable-components/pos } ``` -3. Run the following [cfssl](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) command to generate the CA certificate `ca.pem`: +3. Run the following [cfssl](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) command to generate the CA certificate `ca.pem`: ```txt cfssl gencert -initca ca-csr.json | cfssljson -bare ca 
@@ -102,13 +102,13 @@ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=clie ## 3. Add mTLS CA certificate to Cloudflare Access -Follow the steps outlined in the [developer documentation](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration). +Follow the steps outlined in the [developer documentation](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration). -Using the example from Step 2: upload the `ca.pem` to your Cloudflare Access account via the [dashboard](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) or [Cloudflare API](/api/resources/zero_trust/subresources/access/subresources/certificates/methods/create/). +Using the example from Step 2: upload the `ca.pem` to your Cloudflare Access account via the [dashboard](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) or [Cloudflare API](/api/resources/zero_trust/subresources/access/subresources/certificates/methods/create/). Do not forget to enter the fully-qualified domain names (FQDN / associated hostnames) that will use this CA certificate. -Customers can identify which client sends the Client Certificates by [forwarding client certificate headers](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#forward-a-client-certificate) to the origin server. Customers can then store and use the certificate information such as Common Name (CN), Serial number, and other fields along with the device number to perform additional checks or logics. 
+Customers can identify which client sends the Client Certificates by [forwarding client certificate headers](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#forward-a-client-certificate) to the origin server. Customers can then store and use the certificate information such as Common Name (CN), Serial number, and other fields along with the device number to perform additional checks or logics. Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JWT header to the origin server. To decode the header value, you can use [jwt.io](https://jwt.io/). diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx index 67fca6d9e7d7318..90fe0b45b0e7412 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx 
@@ -55,7 +55,7 @@ For DNS policies, you will need to enable the block page on a per-policy basis. 2. Choose a DNS policy with a Block action. -3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. +3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" { diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index f2308b1f1e8393d..d8afa961d7c44c5 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx @@ -21,7 +21,7 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to :::note -[Custom block pages](/cloudflare-one/traffic-policies/block-page/) require you to install a root certificate on the device. +[Custom block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) require you to install a root certificate on the device. ::: 
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index b9d1a1c371aa7b2..0e6c16edf9cdaf7 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -499,7 +499,7 @@ The following built-in posture checks are available: - [Unique Client ID](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device - [Device serial number](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers -Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/), [Carbon Black](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/sentinel-one/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. +Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers/taniums2s/), [Carbon Black](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. All of the above device information, combined with data on the user identity and also the network the device is on, is available in Cloudflare to be used as part of the company policy. 
For example, organizations could choose to only allow administrators to SSH into servers when all of the following conditions are met: their device is free from threats, running the latest operating system, and joined to the company domain. diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx index 5ea337268b54298..4e9d0c83f0fcb19 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx 
@@ -34,7 +34,7 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. 
+DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx index a1c6f192e6e9d12..3bdda7735ea827d 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx 
@@ -30,7 +30,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). 
Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index 918fcc40a222067..87722850992ba1f 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx @@ -62,7 +62,7 @@ The following diagram shows a common flow for how Cloudflare inspects a request 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/)). [Clientless](/cloudflare-one/team-and-resources/devices/agentless/) options are supported as well. 2. Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/traffic-policies/block-page/) returned to the end user's web browser. +4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) returned to the end user's web browser. ## Related resources diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx index d0d129c3a39e2ec..cd46efc3ec1d305 100644 --- a/src/content/docs/ssl/client-certificates/byo-ca.mdx +++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx 
@@ -19,7 +19,7 @@ Bring your own CA (BYOCA) is especially useful if you already have mTLS implemen - Currently, you can only manage your uploaded CA via API, and the hostname associations are **not** reflected on the [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/). - This process is only available on Enterprise accounts. -- Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through [Cloudflare Access](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). +- Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through [Cloudflare Access](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). ## CA certificate requirements diff --git a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx index bedbbe625bb031b..b44e9db6ff89b4b 100644 --- a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx +++ b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx 
@@ -15,7 +15,7 @@ This walkthrough uses the example of a device that captures temperature readings To keep this example simple, the API is implemented as a Cloudflare Worker (borrowing code from the [To-Do List tutorial on building a jamstack app](/workers/tutorials/build-a-jamstack-app/)). -Temperatures are stored in [Workers KV](/kv/concepts/how-kv-works/) using the source IP address as a key, but you can easily use a [value from the client certificate](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/), such as the fingerprint. +Temperatures are stored in [Workers KV](/kv/concepts/how-kv-works/) using the source IP address as a key, but you can easily use a [value from the client certificate](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/), such as the fingerprint. The example API code below saves a temperature and timestamp into KV when a POST is made and returns the most recent five temperatures when a GET request is made. diff --git a/src/content/docs/ssl/client-certificates/index.mdx b/src/content/docs/ssl/client-certificates/index.mdx index cc7ba53e144e697..f640a97241c2c77 100644 --- a/src/content/docs/ssl/client-certificates/index.mdx +++ b/src/content/docs/ssl/client-certificates/index.mdx 
@@ -38,7 +38,7 @@ The account-level CAs can be: As explained in the [mTLS learning path](/learning-paths/mtls/concepts/), there are different use cases and implementation options for mTLS. Consider the following links for specific guidance. - [Application security](/learning-paths/mtls/mtls-app-security/) -- [mTLS for Zero Trust](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) (Cloudflare Access integration) +- [mTLS for Zero Trust](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) (Cloudflare Access integration) - [mTLS with API Shield](/api-shield/security/mtls/configure/) - [mTLS Workers binding](/workers/runtime-apis/bindings/mtls/) diff --git a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx index 60fedb951f69188..a3b428c4af9b24d 100644 --- a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx +++ b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx @@ -1,7 +1,7 @@ --- pcx_content_type: navigation title: mTLS for Zero Trust -external_link: /cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/ +external_link: /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ sidebar: order: 14 diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx index 646ac1f209aeb68..aad9954de13240c 100644 --- a/src/content/docs/ssl/troubleshooting/faq.mdx +++ b/src/content/docs/ssl/troubleshooting/faq.mdx 
@@ -121,7 +121,7 @@ If you are encountering issues with PayPal IPN when the traffic is proxied by Cl ## Does Cloudflare support TLS client authentication? -Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). +Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). *** diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx index b377f403b06da08..d646ab5cb97d78a 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx +++ b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx 
@@ -96,7 +96,7 @@ While designed for authenticating appliances that cannot perform a login, you ca Do the following: 1. [Create a client certificate](/ssl/client-certificates/create-a-client-certificate/) and save both the certificate and key to your device. -2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser). +2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser). 3. [Enable mTLS](/ssl/client-certificates/enable-mtls/) by adding the correct host. 4. In **SSL/TLS** > **Client Certificates**, select **Create mTLS Rule**. 5. Under **When incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content. diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml index bd8dfa898d3626a..4702b9335464557 100644 --- a/src/content/notifications/index.yaml +++ b/src/content/notifications/index.yaml 
@@ -342,9 +342,9 @@ entries: - name: Access mTLS Certificate Expiration Alert audience: "[Access](/cloudflare-one/access-controls/policies/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate." - availability: Purchase of [Access](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) and/or [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/). + availability: Purchase of [Access](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) and/or [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/). associatedProducts: SSL/TLS - nextSteps: Upload a [renewed certificate](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration). + nextSteps: Upload a [renewed certificate](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration). otherFilters: None. - name: Advanced Certificate Alert diff --git a/src/content/partials/cloudflare-one/access/app-launcher.mdx b/src/content/partials/cloudflare-one/access/app-launcher.mdx index c0a6b8483b9e553..84940f7989af997 100644 --- a/src/content/partials/cloudflare-one/access/app-launcher.mdx +++ b/src/content/partials/cloudflare-one/access/app-launcher.mdx 
@@ -58,38 +58,4 @@ To show an Access application in the App Launcher: ## Customize App Launcher appearance -:::note - -Only available on Pay-as-you-go and Enterprise plans. -::: - -You can display your own branding, messages, and links to users when they open the App Launcher. - -To customize the App Launcher appearance: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Reusable components** > **Custom Pages**. -2. Find the **Customize App Launcher** setting and select **Customize**. -3. Give the App Launcher the look and feel of your organization by adding: - - Your organization's name - - A logo - - A preferred background color for the header - - A preferred background color for the page - - A custom footer with links to your organization's help desk or other internal resources. - -:::note - -We recommend lighter background colors because the font defaults to black. -::: - -4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include: - - A custom title - - A custom subtitle - - An image - - A preferred color for the **Log in** button - - A preferred color for the **Log in** button text - - All of the properties configured in Step 3 will also apply to the landing page. - -5. Once you are satisfied with your customization, select **Save**. - -The App Launcher screens are now updated. To view your changes, select **Preview**. +To customize the App Launcher with your own branding, messages, and links, refer to the [Custom pages documentation](/cloudflare-one/reusable-components/custom-pages/app-launcher-customization/). \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index 37e34e6b53e20d1..248ac753b4aa950 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx 
@@ -5,7 +5,7 @@ You can customize the block page that displays when users fail to authenticate to an Access application. Each application can have a different block page. :::note[Gateway block page] -To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/traffic-policies/block-page/). +To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). ::: ## Types of block pages diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index ab243e83db993f6..c46e948134e5405 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx 
@@ -10,7 +10,7 @@ import { Markdown } from "~/components"; 2. Select **Add a policy** to create a new policy, or choose the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. 3. Under **Configure policy settings**, {props.blockBehaviorAction} **Modify Gateway block behavior**. 4. Choose your block behavior: - - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page). + - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page). - **Override account setting with URL redirect**: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level. 5. (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on **Add an additional message to your custom block page when traffic matches this policy** to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the **Message** field. 6. Select **Save policy**. diff --git a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx index 7762ac203527991..b6eea9cb98243be 100644 --- a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx +++ b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx 
@@ -24,7 +24,7 @@ import { Details, Render, Markdown } from "~/components"; Turn on to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute. -Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/traffic-policies/block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. +Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index 1473b5896b40bcc..04b6f18e9231fdf 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx 
@@ -14,10 +14,10 @@ To customize your block page: 2. Under **Account Gateway block page**, select **Customize**. 3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include: - Your organization's name - - [Logo](/cloudflare-one/traffic-policies/block-page/#add-a-logo-image) + - [Logo](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#add-a-logo-image) - Header text - Global block message, which will be displayed above the policy-specific block message - - [Mailto link](/cloudflare-one/traffic-policies/block-page/#allow-users-to-email-an-administrator) + - [Mailto link](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#allow-users-to-email-an-administrator) - Background color 4. Select **Save**. diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx index 2143a906756220d..4a4807cca9af60b 100644 --- a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx +++ b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx @@ -23,7 +23,7 @@ To check for an mTLS certificate: | ------ | --------- | ----------- | -------------------- | | Allow | Require | Common Name | `` | -7. On your device, add the client certificate to the [system keychain](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser). +7. On your device, add the client certificate to the [system keychain](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser). 
@@ -79,6 +79,6 @@ To check for an mTLS certificate: 4. Add the policy to your [`cloudflared_zero_trust_access_application` for WARP](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions). -5. On your device, add the client certificate to the [system keychain](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser). +5. On your device, add the client certificate to the [system keychain](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser). \ No newline at end of file diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index d8668245f32377a..7bc93229cbfd242 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
@@ -16,8 +16,8 @@ import { Markdown } from "~/components"; | Access: Custom Pages {props.editWord} | Grants write access to [Cloudflare Access custom block pages](/cloudflare-one/reusable-components/custom-pages/access-block-page/). | | Access: Device Posture Read | Grants read access to [Cloudflare Access device posture](/cloudflare-one/reusable-components/posture-checks/). | | Access: Device Posture {props.editWord} | Grants write access to [Cloudflare Access device posture](/cloudflare-one/reusable-components/posture-checks/). | -| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). | -| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). | +| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). | +| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). | | Access: Organizations, Identity Providers, and Groups Read | Grants read access to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). | | Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). | | Access: Organizations, Identity Providers, and Groups {props.editWord} | Grants write access to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). | 
diff --git a/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx b/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx index 8af7b928af61585..70b2a742d49c407 100644 --- a/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx @@ -13,7 +13,7 @@ Device enrollment permissions determine which users can connect new devices to y ## Only allow corporate devices -Device posture evaluation happens after a device has already enrolled in your Zero Trust organization. If you want only specific devices to be able to enroll, we recommend adding a [mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) rule to your device enrollment policy. This rule will check for the presence of a specific client certificate on the enrolling devices. +Device posture evaluation happens after a device has already enrolled in your Zero Trust organization. If you want only specific devices to be able to enroll, we recommend adding a [mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) rule to your device enrollment policy. This rule will check for the presence of a specific client certificate on the enrolling devices. :::note diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx index b227b3fcb91b699..53bc1b75ef4f71c 100644 --- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx 
@@ -38,7 +38,7 @@ To customize the default settings: 5. Configure [global settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#global-settings) for all device profiles: 1. (Recommended) Enable **Admin override code** if you turned on **Lock WARP switch**. - 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/traffic-policies/block-page/). + 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/).
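Review bot: The hunk under "Does Cloudflare support TLS client authentication?" and the other mTLS hunks stop linking to `/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/`, but none of the hunks shown here adds a 301 from that path to `/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/`. Confirm the redirect is part of this change, since bookmarks and external links to the old mTLS page will otherwise break.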
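Review bot: In the `@@ -96,7 +96,7 @@` hunk of improving-web-security-for-content-management-systems-like-wordpress.mdx, the trailing context for step 5 reads "enter a value for thr **URI Path** field". Since this list is already being edited, fix "thr" to "the" in the same change. Step 5 is the one that keeps the mTLS rule scoped to the admin section, so it should read cleanly.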
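Review bot: In src/content/notifications/index.yaml, the `nextSteps` link carries the fragment `#add-mtls-authentication-to-your-access-configuration` over to the new path unchanged, and the WordPress and device-enrollment hunks do the same with `#test-in-the-browser`. Check that both headings still exist on the moved page. A stale fragment fails silently, and this entry is what an operator follows when a client certificate is 30 or 14 days from expiry.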
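Review bot: In app-launcher.mdx, the removed block includes the note "Only available on Pay-as-you-go and Enterprise plans." and the single replacement sentence no longer states that restriction. Either confirm that `/cloudflare-one/reusable-components/custom-pages/app-launcher-customization/` carries it, or keep a one-line plan note under the heading in this partial. The new last line is also marked "No newline at end of file", so add the trailing newline.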
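Review bot: In add-block-page.mdx, and in the block-page.mdx, client-notifications.mdx, customize-block-page.mdx and device-profiles.mdx hunks, every link to `/cloudflare-one/traffic-policies/block-page/` is repointed, but no hunk shown here redirects that old path to `/cloudflare-one/reusable-components/custom-pages/gateway-block-page/`. Confirm a 301 exists for it, and that the fragments `#redirect-to-a-block-page`, `#customize-the-block-page`, `#add-a-logo-image` and `#allow-users-to-email-an-administrator` resolve on the new page.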
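Review bot: In the `@@ -79,6 +79,6 @@` hunk of device-enrollment-mtls.mdx, the context line for step 4 names the Terraform resource as `cloudflared_zero_trust_access_application`. The Cloudflare provider's resources use the `cloudflare_` prefix, so this looks like a typo worth correcting while the file is open. The file also still ends without a trailing newline after the change.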